Docket No. 2455-4581US1

TITLE OF THE INVENTION 

Method For Generating Many-Time Restrictive Blind Signatures 

Inventor: Gerrit Bleumer 

RELAT­ED APPLICATIONS:

This application is based on U.S. Provisional Serial No. 60/161,062, filed October 25, 1999.

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The invention disclosed broadly relates to cryptography and more particularly relates to digital signature methods.

In contrast to conventional digital signature schemes, blind signature schemes 
allow the recipient to obtain signatures for messages that the signer does not learn. If the 
recipient can get only one signed message from each execution of the signing operation by the 
signer, then the blind signature scheme is called one-time, otherwise it is called many-time. 
Many-time blind signatures have been used to build untraceable tickets, called credentials. Such 
tickets can be issued by one organization and verified by another. Each customer uses different 
pseudonyms with each organization and a ticket is simply a blind signature for a customer 
pseudonym. The blinding property allows one to use different pseudonyms for issuing and 
showing a ticket. Even if all organizations collude, they cannot trace which tickets belong to 
which customers. One-time blind signatures have been used to build practical offline and online 
untraceable electronic cash schemes, where the issuing organizations are banks, the recipients are 
merchants and the tickets can be used only once. Most electronic cash schemes based on blind 
signatures use the one-time form, mainly to avoid the problem of multiple copies of the same
electronic coin. 

For offline untraceable electronic cash, double spending of coins should be detectable after the fact, so that double spenders are identifiable if and only if they use a coin more than once. This problem has been addressed by using restrictive one-time blind signatures. The customer's identity is embedded into her pseudonyms in such a way that it is revealed if and only if she double spends. A general blind signature scheme would allow a customer to also obtain coins for pseudonyms of other customers or for pseudonyms that are not assigned to anyone. In contrast, restrictive blind signature schemes guarantee that customers form their pseudonyms in a way that preserves the customer's identity, which the signer has encoded into each issued pseudonym.

A related application area is untraceable membership cards, which can be stored in palmtops, smartcards, etc. Owners may use their membership cards online or offline, arbitrarily often, and in an untraceable way, i.e., several uses of the same card cannot be linked by the respective verifiers. However, issuers of membership cards require that membership cards can be used only by their owners, not by other individuals, even if the owners wish to lend their membership cards away. Purely cryptographic solutions to this problem cannot exist because whether a membership card is actually used by its owner or someone else is not distinguishable by cryptographic means. It has been suggested to use a wallet-with-observer architecture, where every user has a personal device (wallet) that is in part controlled by an implanted tamper resistant security module (observer). The observers can be equipped with a biometric sensor, which is a sufficiently powerful hardware basis for the problem at hand. The prior art relies heavily on the tamper resistance of observers, because if an attacker breaks his observer he can not only lend his own membership cards to other individuals, but he can also forge new membership cards. Another approach relies on the tamper resistance of observers only with respect to transferability of membership cards. Attackers who break their observers can at most pool all the membership cards they already have, but cannot produce new ones. The approach includes a "cascade" signature scheme which has not been implemented.

What is needed in the prior art is a restrictive blind signature scheme that allows a 
recipient to obtain signatures for arbitrarily many (correctly formed) messages after only one 
interaction with the signer. 

SUMMARY OF THE INVENTION

A multiple use ticket generating method is disclosed which enables a recipient to obtain signatures for arbitrarily many (correctly formed) messages after only one interaction with the signer. The method provides a blind signature in a ticket, the signature having a multiple use with a built-in expiration. Then, the method develops a blinding value for the signature in a reproducible computation using a seed key substantially known only to the issuer of the ticket. The method implements a new class of many-time restrictive blind signature schemes almost as efficiently as do previous one-time restrictive blind signature methods.

The resulting ticket can be in the form of an electronic personal ticket, such as a season ticket for sporting events. Other forms for the ticket can include a personal license, such as a personal driver's license. The ticket has the property of being untraceable and has the advantage that the signature does not require an interactive signing protocol.
DESCRIPTION OF THE FIGURES

Figure 1 shows a method for producing a signature. 
Figure 2 shows a method for transforming a signature. 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 

An efficient implementation of a many-time restrictive blind signature scheme is 
disclosed. It uses no hash function, is about as efficient as previous one-time restrictive blind 
signature methods, and its security rests on a similar assumption as that of the ElGamal signature 
scheme. Applications for the new signature scheme are untraceable offline personal tickets, e.g., 
monthly season tickets, driver's licenses, or coupons that can be used multiple times until they 
expire. A computer system for carrying out the method of the invention is a standard general 
purpose data processor that includes a random access memory to store the program embodiment 
of the invention and a central processor to execute the instructions in the program embodiment. 
The computer system is connected to a network to generate and circulate untraceable tickets, 
licenses, or coupons that can be used multiple times until they expire. 
Definitions 

A definition follows of many-time restrictive blind signatures. The formalization of 
restrictiveness follows ideas of Brands [B93], Franklin and Yung [FY93] and Pfitzmann and 
Sadeghi [PS99]. 

Definition 1 (Many-time restrictive blind signature).

A many-time restrictive blind signature scheme consists of a security parameter $k \in \mathbb{N}$, a signing key space $X$, a verifying key space $Y$, a message space $M$, a signature space $\Sigma$, a blinder space $\Omega$, a witness space $W$ and a relation $\mathit{make} \subseteq M \times W$. Also included is an equivalence relation on $W$ (equivalent witnesses $v, w \in W$ are denoted $v \equiv w$); more precisely, there are families of all these domains indexed by the security parameter $k$. If $(m, w) \in \mathit{make}$ then we say that witness $w$ makes message $m$. At system setup time, a particular security parameter is chosen and from then on, only one instance of each domain is used. Also included are two probabilistic algorithms $\mathit{gen}$, $\mathit{sign}$, a probabilistic protocol $\mathit{trans}$ of two participants Bob and Verifier, and a deterministic algorithm $\mathit{verify}$, which are declared as follows:

$$(x, y) \leftarrow \mathit{gen}(k) \qquad \sigma \leftarrow \mathit{sign}(x, m)$$

$$(m', \sigma') \leftarrow \mathit{trans}(y, m, \sigma, \omega) \qquad \mathit{acc} \leftarrow \mathit{verify}(y, m, \sigma).$$

All of them are efficiently computable. Given a security parameter $k$, the key generating algorithm $\mathit{gen}$ returns a pair of a private signing key $x \in X$ and a public verification key $y \in Y$. The algorithm $\mathit{sign}$ takes as input a signing key $x \in X$ and a message $m \in M$. It returns a signature $\sigma \in \Sigma$. The protocol $\mathit{trans}$ takes as input for both Bob and the Verifier a verification key $y$, and only for Bob a message $m$, a signature $\sigma$ and a blinder $\omega$. After the protocol, both Bob and the Verifier return the same message $m'$ and signature $\sigma'$. The algorithm $\mathit{verify}$ takes as input a public key $y$, a message $m \in M$ and a signature $\sigma \in \Sigma$ and returns a Boolean value $\mathit{acc}$. If $\mathit{verify}(y, m, \sigma)$ returns True then the signature $\sigma$ is called valid for $m$ with respect to public key $y$, or the pair $(m, \sigma)$ is valid for $y$.

EFFECTIVENESS: For every security parameter $k$, every key pair $(x, y) \leftarrow \mathit{gen}(k)$, and every message $m \in M$ the algorithm $\mathit{sign}(x, m)$ produces a valid signature $\sigma$ for $m$. For all inputs as above, every blinder $\omega \in \Omega$ and every signature $\sigma \in \Sigma$ valid for $m$ the algorithm $\mathit{trans}(y, m, \sigma, \omega)$ returns a valid signature $\sigma'$ for $m'$.

RESTRICTIVENESS with respect to $\mathit{make}$ and $\equiv$: Every polynomial-time attacker who (i) obtains valid signatures $\sigma_i$ ($i = 1, \dots, n$) from the signer for respective messages $m_i$ of his (adaptive) choice, where the choice of each message he asks to be signed may depend on all messages previously chosen and the corresponding responses by the signer, (ii) comes up with a new message $m'$ and signature $\sigma'$, and (iii) delivers $n + 1$ witnesses $\omega_1, \omega_2, \dots, \omega_n, \omega'$, has only a negligible chance of achieving the following event: the signature $\sigma'$ is valid for $m'$, the witnesses $\omega_i, \omega'$ each make their messages $m_i, m'$, and the witness $\omega'$ is not equivalent to any of the witnesses $\omega_i$, if any.

UNLINKABILITY: Let $(m, \sigma)$, $(m', \sigma')$ be two pairs valid with respect to $y$. Then for each internal choice $r_V$ of the Verifier in $\mathit{trans}$, there is a unique blinder $\omega \in \Omega$ and a unique internal choice (i.e., a sequence of random bits used by a probabilistic algorithm) $r_B$ for Bob in algorithm $\mathit{trans}$, such that the execution of $\mathit{trans}(y, m, \sigma, \omega)$ with internal choices $r_B$, $r_V$ returns

Note that previous one-time blind signature schemes use an interactive signing protocol from which the recipient gets a message and signature that he can later show to a verifier without interaction. Many-time blind signature schemes use a non-interactive signing protocol from which the recipient gets a message and signature that he can later transform and thereby show to many verifiers.

3. The RUST Signature Scheme

The proposed many-time blind signature scheme is referred to herein as "RUST". The standard discrete log setting is adopted. Let $p$ be a large prime, $q$ be a large prime divisor of $p - 1$. Typically, $p$ and $q$ will be chosen about 1024 bit and 160 bit long, respectively [099]. Then $\mathbb{Z}_p^*$ has a unique subgroup $G_q$ of order $q$ and since $\mathbb{Z}_p^*$ is cyclic, so is $G_q$. Let $g, g_1$ be generators of $G_q$ that are chosen uniformly at random.
The private and public key spaces are $\mathbb{Z}_q$ and $G_q$, respectively. The message space is $M = G_q^* \setminus \{1\}$, where $G_q^*$ is $G_q$ except all members that disappear modulo $q$. The signature space is $\Sigma = G_q^* \times \mathbb{Z}_q \times \mathbb{Z}_q^*$, the space of blinders is $\Omega = \mathbb{Z}_q^*$, the witness space is $W = \mathbb{Z}_q$, the making relation is

$$\mathit{make} = \{(m, w) \in M \times W \mid m = g_1^{w} \bmod p\},$$

and any two witnesses are equivalent, i.e., $\forall v, w \in W : v \equiv w$. Key generation is by choosing a signing key $x \in X$ uniformly at random and computing the corresponding verification key $y = g^{x} \bmod p$.

A signature $(r, s, t) \in \Sigma$ (thus the name of the scheme) is valid for message $m \in M$ with respect to public key $y$ if the following equation holds:

$$\mathit{verify}(y, m, \sigma) = \bigl[\, g^{r+s} \equiv y^{m+t}\, m^{ms}\, r^{rt} \pmod p \,\bigr]. \tag{1}$$

A pair $(m, \sigma)$ is called terminated if $t = -m \bmod q$, otherwise it is called fresh.

3.1 Producing Signatures

Let the generator $g$ and a key pair $(x, y)$ be set up as above. A signature for a given message $m \in M$ is constructed as shown in Figure 1:

One chooses $a, b \in_R \mathbb{Z}_q$ uniformly at random such that $a + bm \neq -1 \pmod q$ in step (1) and computes the signature component $r$ in step (2). If any of the values $r$, $r - mx$ or $(a + bm)r + mx$ disappears modulo $q$, then the execution needs to be repeated from step (1). In step (3), the remaining signature values $s, t$ are computed.

3.2 Transforming Signatures

Given a verification key $y$ and a blinder $\omega \in \Omega$, a fresh pair $(m, (r, s, t)) \in M \times \Sigma$ of a message and a signature is transformed into another pair $(m', (r', s', t'))$. The blinder $\omega$ is required such that $m^{\omega} \bmod p \not\equiv 0 \pmod q$ (see Figure 2): In steps (1) through (5) Bob forms the new message $m'$ and the signature component $r' = m^{a} r^{b} g^{c} y^{d}$ such that:

1. the exponents

$$b = \frac{rt}{m+t}\, d \qquad\text{and}\qquad c = -\frac{a}{\omega m'} + \frac{ms - \omega(r+s)m'}{\omega(m+t)m'}\, d - \frac{1}{m'}$$

are functions of $a$ and $d$,

2. the Verifier does not learn any information about Bob's input $m, (r, s, t)$,

3. even if Bob deviated from the protocol, he could not end up with some $r'$ for which he has a representation with respect to $m, r, g$ only, i.e., $d = 0$.

In detail, Bob chooses uniformly at random an auxiliary value $\alpha \in_R \mathbb{Z}_q$, and the Verifier chooses $d \in_R \mathbb{Z}_q^*$ (step (1)). Then Bob computes the output message $m' = m^{\omega} \bmod p$ in step (2). Bob further computes the auxiliary values $(\beta, \gamma)$ and the preliminary signature component $r^*$ in step (3). After sending $m', r^*$ to the Verifier, he obtains in return the Verifier's choice $d$ in order to compute the signature component $r'$ in step (5). So does the Verifier. Only in the case that $d$ or $r'$ disappears modulo $q$ must the protocol be repeated from step (1). Next, Bob computes the exponents $a, b$ according to step (6) and the signature components $s', t'$ according to step (7). He finally sends the signature components $s', t'$ to the Verifier. Figure 2 illustrates transforming a signature.

Remark 2. The RUST signature scheme ensures that signers always produce fresh pairs of messages and signatures and that only fresh pairs can be transformed. Note that if $t = -m \bmod q$ some quotients in $\mathit{trans}$ would be undefined. However, transformed pairs are always terminated, so that a Verifier cannot transform a pair further. This feature of RUST is not implied by restrictiveness (Definition 1).

The protocol $\mathit{trans}$ can be made non-interactive if one is willing to rely on the obscurity of some hash function $H$ as in the standard Fiat-Shamir technique [FS87]: Instead of sending $m', r^*$ after step (3) and obtaining the Verifier's choice $d$ in return, Bob can compute $d = H(y, m', r^*)$ after step (3) by himself. After step (7), Bob then sends $m', r^*, s', t'$ to the Verifier. Finally, the Verifier checks in addition to the verification equation (1) whether $r' = (r^* y)^{H(y, m', r^*)}\, g^{-1/m'}$.

The witness equivalence used for the RUST signature scheme is degenerate in the sense that any two witnesses are equivalent. This is no weakness of the RUST signature scheme, but allows producing and transforming signatures quite efficiently. Note that Brands suggests to use his one-time restrictive blind signature scheme for offline e-cash [B93] with the same degenerate witness equivalence (and function $\mathit{make}$). In offline e-cash, the price for the increased performance is computational instead of unconditional non-frameability. For many-time restrictive blind signatures, like the RUST scheme, signer identification by (more than one) signatures is no issue, and thus framing of signers is no issue either.
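The following Python program is an added illustration of the signing algorithm (Figure 1), the verification equation (1) and the transformation protocol (Figure 2); it is not part of the patent text. It uses constructed toy parameters $p = 2039$, $q = 1019$ (far too small for any real use) with generators $g = 2^2 = 4$ and $g_1 = 3^2 = 9$, simulates both Bob's and the Verifier's steps of $\mathit{trans}$ in one process, and checks that a signed pair is fresh and valid, that the transformed pair is terminated and still valid, that a wrong verification key is rejected, and that the transformed message $m' = m^{\omega} = g_1^{w\omega}$ is still made by a witness (the $\mathit{make}$ relation survives the blinding). All function and variable names are this example's own.

```python
# Toy RUST implementation (added illustration, not the document's own code): sign (Figure 1),
# verify (equation (1)) and trans (Figure 2) over constructed, insecure parameters p = 2039, q = 1019.
import random

P, Q = 2039, 1019              # prime p and prime q = (p - 1) / 2 dividing p - 1
G = pow(2, (P - 1) // Q, P)    # g = 4, a generator of the order-q subgroup G_q
G1 = pow(3, (P - 1) // Q, P)   # g1 = 9, the generator used by the make relation

def inv(a):
    """Inverse modulo q; raises ValueError if a disappears modulo q."""
    return pow(a % Q, -1, Q)

def gen(rng):
    """Key generation: signing key x in Z_q, verification key y = g^x mod p."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def make(w):
    """Message made by witness w: m = g1^w mod p."""
    return pow(G1, w, P)

def is_message(m):
    """M = G_q^* minus {1}: elements of G_q other than 1 not vanishing mod q."""
    return m != 1 and m % Q != 0 and pow(m, Q, P) == 1

def is_fresh(m, sig):
    """A pair is terminated if t = -m (mod q) and fresh otherwise."""
    return (m + sig[2]) % Q != 0

def verify(y, m, sig):
    """Equation (1): g^{r+s} == y^{m+t} * m^{ms} * r^{rt} (mod p)."""
    r, s, t = sig
    rhs = pow(y, (m + t) % Q, P) * pow(m, m * s % Q, P) * pow(r, r * t % Q, P) % P
    return pow(G, (r + s) % Q, P) == rhs

def sign(x, m, rng):
    """Figure 1; repeats from step (1) whenever a quotient would be undefined mod q."""
    while True:
        a, b = rng.randrange(Q), rng.randrange(Q)            # step (1)
        if (a + b * m + 1) % Q == 0:
            continue                                         # a + bm != -1 keeps the pair fresh
        r = pow(m, a, P) * pow(G, b, P) % P                  # step (2): r = m^a g^b mod p
        D = ((a + b * m) * r + m * x) % Q                    # D = (a + bm) r + mx
        if r % Q == 0 or (r - m * x) % Q == 0 or D == 0:
            continue                                         # loop condition of step (2)
        s = a * r * (m * x - r) * inv(D) % Q                 # step (3)
        t = m * (r - m * x) * inv(D) % Q
        return r, s, t

def trans(y, m, sig, omega, rng):
    """Figure 2 with both parties simulated; returns the terminated pair (m', sig')."""
    r, s, t = sig
    if not is_fresh(m, sig):
        raise ValueError("only fresh pairs can be transformed")
    m2 = pow(m, omega, P)                                    # step (2), Bob: m' = m^omega
    if not is_message(m2):
        raise ValueError("omega must give an m' that does not disappear mod q")
    while True:
        alpha = rng.randrange(Q)                             # step (1), Bob
        beta = r * t * inv(m + t) % Q                        # step (3), Bob: beta = rt/(m+t)
        gamma = ((m * s - omega * (r + s) * m2) * inv(omega * (m + t) * m2)
                 - alpha * inv(omega * m2)) % Q
        r_star = pow(m, alpha, P) * pow(r, beta, P) * pow(G, gamma, P) % P
        d = rng.randrange(1, Q)                              # step (4): Verifier's d in Z_q^*
        r2 = pow(r_star * y % P, d, P) * pow(G, -inv(m2) % Q, P) % P   # step (5), both
        if d * r2 % Q == 0:
            continue                                         # repeat from step (1)
        a, b = alpha * d % Q, beta * d % Q                   # step (6), Bob
        s2 = (a * r * t - b * m * s) * r2 * inv(omega * r * t) % Q     # step (7), Bob
        return m2, (r2, s2, -m2 % Q)                         # t' = -m' marks it terminated

def random_message(rng):
    """Witness w and the message m = g1^w it makes, retried until m lies in M."""
    while True:
        w = rng.randrange(1, Q)
        if is_message(make(w)):
            return w, make(w)

def pick_blinder(m, rng):
    """Blinder omega in Z_q^* such that m^omega mod p does not disappear modulo q."""
    while True:
        omega = rng.randrange(1, Q)
        if is_message(pow(m, omega, P)):
            return omega

def demo(seed=7):
    """One sign / trans / verify round with a seeded RNG; returns the checks made."""
    rng = random.Random(seed)
    x, y = gen(rng)
    w, m = random_message(rng)
    sig = sign(x, m, rng)
    omega = pick_blinder(m, rng)
    m2, sig2 = trans(y, m, sig, omega, rng)
    return {
        "signed_valid": verify(y, m, sig),
        "signed_fresh": is_fresh(m, sig),
        "transformed_valid": verify(y, m2, sig2),            # the Verifier's accept test
        "transformed_terminated": not is_fresh(m2, sig2),
        "witness_carried": make(w * omega % Q) == m2,        # m' = g1^{w*omega} is made by w*omega
        "wrong_key_rejected": not verify(pow(G, x + 1, P), m, sig),
    }
```

Every check in `demo()` follows from the algebra in the proof of Theorem 3: the $m$-exponents $ms + art$ cancel in the signed pair, and after transformation the exponents of $y$, $m$ and $r$ collect into a power of the original verification equation. The wrong-key check is decisive for a fresh pair because replacing $y$ by $yg$ multiplies the right hand side of (1) by $g^{m+t} \neq 1$.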

4. Main Result

In order to analyze the security of the proposed many-time restrictive blind signature scheme, referred to herein as RUST, one needs the following two assumptions. These assumptions are not among the intensely investigated complexity theoretic assumptions like the discrete logarithm assumption [MOV97]. Nevertheless, they also underlie for example the ElGamal signature scheme and its derivatives without having been made explicit in previous work.

Assumption 1.

For some natural number $n \in \mathbb{N}$, let $g_i$ ($i \in [1, n]$) be generators of $G_q$, and define the function

$$F_n(x_1, x_2, \dots, x_n) = \prod_{i=1}^{n} g_i^{x_i} \bmod p$$

that takes arguments $x = (x_1, x_2, \dots, x_n) \in \mathbb{Z}_q^{n} \setminus \{(0, 0, \dots, 0)\}$. Then the function

$$F_n(x) \bmod q$$

is an implementation of a random oracle [BR93]. (Note the difference of the moduli $p$ and $q$!)
Assumption 2.

If at all, a polynomial-time attacker $A$ can compute valid pairs of messages and signatures with respect to a given verification key but then only as follows:

- First pick a set of $n > 1$ generators $h_1, \dots, h_n$ of $G_q$,

- choose tuples $a, b \in \mathbb{Z}_q^{n}$,

- form the message $m' = F_n(a)$ and the signature component $r' = F_n(b)$, with $F_n$ built from the generators $h_1, \dots, h_n$,

- and finally compute the signature components $s', t'$.

Without loss of generality, the attacker can be assumed to pick the generators $h_1, \dots, h_n$ such that he cannot feasibly find a representation of 1 with respect to $h_1, \dots, h_n$ in $G_q$. Otherwise, he could represent at least one of the generators with respect to the others, and thus he could pick a proper subset of $\{h_1, \dots, h_n\}$ in the first step above, adapt the following steps accordingly and end up with the same result $(m', (r', s', t'))$.

A similar assumption has been used to reason about the security of ElGamal signatures 
[EG85], but those assumptions were left implicit. 

Theorem 3. Under Assumptions A1 and A2, RUST is a many-time restrictive blind signature scheme.

Proof. Check effectiveness, restrictiveness and blindness in turn.

Effectiveness of $\mathit{sign}$: Under Assumption A1, the probability to make a choice $a, b \in \mathbb{Z}_q$ such that any of the values $r$, $r - mx$ or $D = (a + bm)r + mx$ disappears modulo $q$ is negligible and so is the probability to repeat step (2) of algorithm $\mathit{sign}$. In order to verify algorithm $\mathit{sign}$ (see Figure 1), insert its output into the right hand side of verification equation (1):

$$\begin{aligned}
y^{m+t}\, m^{ms}\, r^{rt}
&= g^{x(m+t)}\, m^{ms}\, (m^{a} g^{b})^{rt} \\
&= g^{x\left(m + \frac{m}{D}(r-mx)\right)}\; m^{\frac{amr}{D}(mx-r)}\; m^{\frac{amr}{D}(r-mx)}\; g^{\frac{bmr}{D}(r-mx)} \\
&= g^{\frac{xm}{D}((a+bm)r + mx + r - mx)}\; g^{\frac{bmr}{D}(r-mx)} \\
&= g^{\frac{xmr}{D}(a+bm+1) + \frac{mr}{D}(br - bmx)} \\
&= g^{\frac{mr}{D}(ax + x + br)} \\
&= g^{\frac{r}{D}(ar + amx + mx + bmr - ar)} \\
&= g^{\frac{r}{D}(D + amx - ar)} \\
&= g^{r + \frac{ar}{D}(mx - r)} \\
&= g^{r+s} \pmod p.
\end{aligned}$$

The signer produces fresh signatures because he chooses

$$t = \frac{m(r - mx)}{(a + bm)r + mx} \neq m \cdot (-1) = -m \pmod q$$

according to the condition $a + bm \neq -1 \bmod q$ in step (1) of Figure 1. The signature components $r$ and $t$ do not disappear modulo $q$ because of the loop condition in step (2).

Effectiveness of $\mathit{trans}$: The following verification is prepared by expressing Bob's signature components $r'$ and $s'$ in terms of Bob's input and his internal choices $\alpha, d$ and by using the definitions of $\beta$ and $\gamma$ according to step (3) of Figure 2:

$$r' = (r^* y)^{d}\, g^{-\frac{1}{m'}} = \left(m^{\alpha}\, r^{\frac{rt}{m+t}}\, g^{\frac{ms - \omega(r+s)m'}{\omega(m+t)m'} - \frac{\alpha}{\omega m'}}\, y\right)^{d} g^{-\frac{1}{m'}} = m^{\alpha d}\, r^{\frac{rt}{m+t}d}\, g^{\frac{ms - \omega(r+s)m'}{\omega(m+t)m'}d - \frac{\alpha d}{\omega m'} - \frac{1}{m'}}\, y^{d} \tag{2}$$

$$s' = \frac{art - bms}{\omega rt}\, r' = \frac{\alpha d rt - \frac{rt}{m+t} d\, ms}{\omega rt}\, r' = \frac{d r'}{\omega}\left(\alpha - \frac{ms}{m+t}\right). \tag{3}$$

Under Assumption A1, the probability of choosing $\alpha \in \mathbb{Z}_q$, $d \in \mathbb{Z}_q^*$ such that $r' \equiv 0 \bmod q$ is negligible, and so is the probability of repeating after step (5). Next, insert the output $m', (r', s', t')$ of algorithm $\mathit{trans}$ into the verification equation (1), using $m' = m^{\omega}$, $t' = -m'$ and the expression for $r'$ according to equation (2); collecting the exponents of $m$, $r$, $g$ and $y$ gives

$$\begin{aligned}
y^{m'+t'}\, m'^{m's'}\, r'^{r't'}
&= m^{\omega m' s'} \left(m^{\alpha d}\, r^{\frac{rt}{m+t}d}\, g^{\frac{ms - \omega(r+s)m'}{\omega(m+t)m'}d - \frac{\alpha d}{\omega m'} - \frac{1}{m'}}\, y^{d}\right)^{-r'm'} \\
&= m^{\omega m' s' - \alpha d r' m'}\; r^{-rt\,\frac{d r' m'}{m+t}}\; g^{\,r' + \frac{\alpha d r'}{\omega} + (r+s)\frac{d r' m'}{m+t} - \frac{d r' ms}{\omega(m+t)}}\; y^{-d r' m'} \\
&= \left(m^{ms}\, r^{rt}\, g^{-(r+s)}\, y^{m+t}\right)^{-\frac{d r' m'}{m+t}}\, g^{r'+s'} = g^{r'+s'} \pmod p.
\end{aligned}$$

For the final rewriting use the expression (3) for $s'$, so that the exponent of $m$ becomes $-ms\,\frac{dr'm'}{m+t}$ and the remaining exponent of $g$ becomes $r' + s'$; the bracket is 1 by the verification equation (1) for $(m, (r, s, t))$. According to step (7) of Figure 2, Bob produces terminated pairs because $t' = -m'$. This guarantees $t' \neq 0 \bmod q$ because $m'$ is presumed not to disappear modulo $q$. The signature component $r'$ does not disappear modulo $q$ because of the loop condition in step (5).

Restrictiveness: First consider private key related attacks. Consider a polynomial-time attacker who has obtained $n \in \mathbb{N}$ valid pairs $(m_i, (r_i, s_i, t_i))$ of messages and signatures for $i = 1, \dots, n$ from the signer. The signer has chosen $r_i = m_i^{a_i} g^{b_i} \bmod p$, and has computed the signature components $s_i, t_i$ according to Figure 1. The signature components $r_i$ release no information about the choices $a_i, b_i$ to a polynomial-time attacker, so we need to look only at $s_i$ and $t_i$. According to Figure 1, $s_i = -\frac{a_i r_i}{m_i}\, t_i$, which reveals the signer's choices $a_i$. From the $t_i$, the attacker learns the following system (4) of $n$ linear equations over $\mathbb{Z}_q$ in $n + 1$ variables, namely $b_i, x$ for $i = 1, \dots, n$:

$$t_i\bigl((a_i + b_i m_i) r_i + m_i x\bigr) = m_i (r_i - m_i x) \;\Longleftrightarrow\; b_i m_i r_i t_i + m_i x\,(t_i + m_i) = m_i r_i - a_i r_i t_i. \tag{4}$$

The values $x$ and $b_i$ are undetermined because $t_i, m_i, r_i \neq 0 \pmod q$, and therefore valid signatures release no more information about $x = \log_g y$ to a polynomial-time attacker than $y$ itself.

Next, show that an attacker who has not received any valid RUST signature with respect to a public key $y$ cannot feasibly fabricate a valid signature for any message on his own (Case 0). An attacker who has got valid signatures for one or more messages $m_i$ is considered afterwards (Case 1).

Case 0: By contradiction to restrictiveness (Definition 1), assume an attacker who has no valid pairs of messages and signatures in the first place ($n = 0$ in Definition 1), but succeeds to come up with a message $m$ for which he has a witness $\omega \in \Omega$ that makes $m$, i.e., $m = g_1^{\omega}$, and a valid signature $\sigma$. (For lack of input pairs to $\mathit{trans}$, plain identifiers are used for the outputs, i.e., no primes.) According to Assumption A2, the attacker uses 3 parameters $a', c', d' \in \mathbb{Z}_q$ in order to build the signature component:

$$r = m^{a'}\, g^{c'}\, y^{d'} \bmod p.$$

Because $m$ must be chosen to be $g_1^{\omega}$, the only elements of $G_q$ an attacker might use successfully to build $r$ are those occurring in the verification equation (1), namely $m, g, y$. Would he use any other independently chosen element $h \in G_q$ and succeed to find a valid signature, then the verification equation would reveal a representation of $h$ with respect to $m, g, y$, which contradicts the discrete logarithm assumption.

Inserting the expression for $r$ into the verification equation (1) yields:

$$g^{r+s} = y^{m+t}\, m^{ms}\, r^{rt} = y^{m+t}\, m^{ms}\, (m^{a'} g^{c'} y^{d'})^{rt} = y^{m+t}\, g_1^{\omega ms}\, (g_1^{\omega a'} g^{c'} y^{d'})^{rt},$$

which can be rewritten as:

$$g^{\,r+s-c'rt}\; y^{-(m+t+d'rt)}\; g_1^{-\omega(ms + a'rt)} = 1 \pmod p. \tag{5}$$

Since the bases $g$, $y$ and $g_1$ are chosen independently, the only feasible way for the attacker to solve (5) is by letting the exponents of $g$, $y$ and $g_1$ disappear.

This leads to the following linear system (6) of 3 equations in 2 variables $s$ and $t$, over $\mathbb{Z}_q$:

$$\begin{aligned}
\omega m\, s + \omega a' r\, t &= 0 \\
-s + c' r\, t &= r \\
(d' r + 1)\, t &= -m
\end{aligned} \tag{6}$$

This system can be solvable only if the corresponding $3 \times 3$ determinant disappears:

$$\begin{vmatrix} \omega m & \omega a' r & 0 \\ -1 & c' r & r \\ 0 & d' r + 1 & -m \end{vmatrix} = -\bigl((1 + a' + c' m) + d' r\bigr)\,\omega m r = 0 \tag{7}$$

Since neither $\omega$ nor $m$ nor $r$ may disappear modulo $q$, this condition (7) can be met only if $(1 + a' + c'm) + d'r = 0$. Here, the factors $m$ and $r$ are determined only after $\omega$ respectively $a', c', d'$ have been chosen, and by Assumption A1, neither $m$ nor $r$ can be predicted or coerced to any particular value. Hence the only way to let the determinant (7) disappear is to let $1 + a' + c'm = d' = 0 \pmod q$. However, protocol $\mathit{trans}$ ensures with overwhelming probability that a dishonest Bob ends up with a representation of $r$ whose exponent $d$ of $y$ is not disappearing regardless of how Bob chooses $r^*$. Note that Bob must provide $r^*$ before the Verifier sends his $d$ and forms the signature component $r = (r^* y)^{d}\, g^{-1/m}$ in step (5).

Case 1: Due to the degenerate equivalence $\equiv$ of witnesses, i.e., any two witnesses are equivalent, restrictiveness is satisfied whenever the attacker has obtained at least one valid pair $(m, \sigma)$ and comes up with a new pair $(m', \sigma')$ and a witness making $m'$. Restrictiveness requires no more, and thus nothing needs to be shown.

Blindness: Show that for each fresh valid pair $(m, \sigma)$, where $t \neq -m \pmod q$, and each terminated valid pair $(m', \sigma')$, where $t' = -m' \pmod q$, of messages and RUST signatures, and each choice $d \in \mathbb{Z}_q^*$ of the verifier in $\mathit{trans}$, there is exactly one input $\omega \in \mathbb{Z}_q^*$ and one value $\alpha \in \mathbb{Z}_q^*$ such that $\mathit{trans}$ maps $(m, \sigma)$ to $(m', \sigma')$. (Note that the value $r^*$ of the verifier's view on Bob in $\mathit{trans}$ is a one-to-one map of the other elements $d, m', r'$ of his view, and thus from an information theoretic viewpoint, it suffices to consider $d, m', \sigma'$ as the verifier's view.) In the following, all steps refer to protocol $\mathit{trans}$ in Figure 2.

First show there is at most one pair $(\alpha, \omega)$: It is immediate from step (2) that the blinder $\omega = \log_m m'$ is uniquely determined. Furthermore, for each $d \in \mathbb{Z}_q^*$ one obtains from steps (7), (6) and (3) in turn the following expression for $s'$:

$$s' = \frac{art - bms}{\omega rt}\, r' = \frac{\alpha d rt - \beta d ms}{\omega rt}\, r' = \frac{\alpha d rt - \frac{rt}{m+t} d\, ms}{\omega rt}\, r' = \frac{d r'}{\omega}\left(\alpha - \frac{ms}{m+t}\right).$$

Since all $r, t, d, r', (m + t)$ are presumed not to disappear modulo $q$, the internal choice $\alpha$ of Bob is uniquely determined as follows:

$$\alpha = \frac{\omega s'}{d r'} + \frac{ms}{m+t} \bmod q. \tag{8}$$

Next show that the uniquely determined pair $(\alpha, \omega)$ from above transforms a fresh valid pair $(m, \sigma)$ of message and signature into a terminated valid pair $(m', \sigma')$. Since $(m, \sigma) = (m, (r, s, t))$ is presumed a fresh valid pair, we can rewrite the verification equation (1) for $(m, (r, s, t))$ as follows:

$$g^{r+s} = y^{m+t}\, m^{ms}\, r^{rt} \;\Longleftrightarrow\; r^{rt} = g^{r+s}\, y^{-(m+t)}\, m^{-ms}, \quad\text{where } t \neq -m \pmod q. \tag{9}$$

Furthermore, the unique $\alpha$ in equation (8) also determines a unique $\gamma$ in step (3), namely:

$$\gamma = \frac{ms - \omega(r+s)m'}{\omega(m+t)m'} - \frac{\alpha}{\omega m'} = \frac{ms - \omega(r+s)m'}{\omega(m+t)m'} - \frac{s'}{d m' r'} - \frac{ms}{\omega m'(m+t)} = -\left(\frac{r+s}{m+t} + \frac{s'}{d m' r'}\right) \pmod q. \tag{10}$$

Next, evaluate $r'$ according to steps (3) and (5) by inserting $r^{rt}$ from equation (9), $\alpha$ from equation (8), $\beta = rt/(m+t)$ from step (3) and $\gamma$ from equation (10):

$$\begin{aligned}
r' &= (r^* y)^{d}\, g^{-\frac{1}{m'}} = \left(m^{\alpha} r^{\beta} g^{\gamma} y\right)^{d} g^{-\frac{1}{m'}} = m^{\alpha d}\, r^{\frac{rt\,d}{m+t}}\, g^{\gamma d - \frac{1}{m'}}\, y^{d} \\
&= m^{\alpha d}\, \left(g^{r+s}\, y^{-(m+t)}\, m^{-ms}\right)^{\frac{d}{m+t}} g^{\gamma d - \frac{1}{m'}}\, y^{d} \\
&= m^{\left(\frac{\omega s'}{d r'} + \frac{ms}{m+t}\right)d}\, \left(g^{r+s}\, m^{-ms}\right)^{\frac{d}{m+t}} g^{-\left(\frac{r+s}{m+t} + \frac{s'}{d m' r'}\right)d - \frac{1}{m'}} \\
&= m^{\frac{\omega s'}{r'}}\; g^{-\frac{s'}{m' r'} - \frac{1}{m'}} \\
&= m'^{\frac{s'}{r'}}\; g^{-\frac{s'+r'}{m' r'}} \pmod p.
\end{aligned} \tag{11}$$

Finally, check that the values $m', r', s', t'$ satisfy the verification equation (1) if $r'$ is inserted from (11) and use $t' = -m' \bmod q$ from step (7):

$$y^{m'+t'}\, m'^{m's'}\, r'^{r't'} = y^{m'-m'}\, m'^{m's'} \left(m'^{\frac{s'}{r'}}\, g^{-\frac{s'+r'}{m'r'}}\right)^{-r'm'} = g^{r'+s'} \pmod p.$$

This concludes the proof.
A restrictive blind signature scheme has been presented that allows a recipient to obtain signatures for arbitrarily many (correctly formed) messages after only one interaction with the signer. Signing, transforming and verifying cost two, six, and six full length modular exponentiations, respectively. For transforming and verifying, count the exponentiations of Bob and of the Verifier in $\mathit{trans}$, respectively. This compares to two, five and four modular exponentiations of the signer and recipient during the signing protocol and verification of the one-time restrictive blind signature protocol proposed by Chaum, Pedersen [CP92] and later by Brands [B93].

Various illustrative examples of the invention have been described in detail. In addition, however, many modifications and changes can be made to these examples without departing from the nature and spirit of the invention.
CLAIMS

What is claimed is:

1. A multiple use ticket method, comprising:

providing a blind signature in a ticket, the signature having a multiple use; and

developing a blinding value for the signature in a reproducible computation using a seed key substantially known only to the issuer of the ticket.

2. The method of claim 1 wherein said signature has a built-in expiration.

3. The method of claim 1 wherein said ticket is an electronic personal ticket.

4. The method of claim 1 wherein said ticket is an electronic season ticket.

5. The method of claim 1 wherein said ticket is an untraceable electronic personal ticket.

6. The method of claim 1 wherein said ticket is a personal license.

7. The method of claim 1 wherein said ticket is a personal driver's license.

8. The method of claim 1 wherein said signature does not require an interactive signing protocol.

9. The method of claim 1 wherein said ticket is an offline personal ticket.

10. A system for generating a multiple use ticket method, comprising:

means for providing a blind signature in a ticket, the signature having a multiple use; and

means for developing a blinding value for the signature in a reproducible computation using a seed key substantially known only to the issuer of the ticket.

11. The system of claim 10, wherein said signature has a built-in expiration.

12. An article of manufacture for a computer system, for providing a multiple use ticket, comprising:

a computer readable medium;

computer code in said computer readable medium for providing a blind signature in a ticket, the signature having a multiple use; and

computer code in said computer readable medium for providing a blinding value for the signature in a reproducible computation using a seed key substantially known only to the issuer of the ticket.

13. The article of manufacture of claim 12, wherein said signature has a built-in expiration.
ABSTRACT OF THE DISCLOSURE

A multiple use ticket generating method is disclosed which enables a recipient to obtain signatures for arbitrarily many (correctly formed) messages after only one interaction with the signer. The method provides a blind signature in a ticket, the signature having a multiple use with a built-in expiration. Then, the method develops a blinding value for the signature in a reproducible computation using a seed key substantially known only to the issuer of the ticket. The method implements a new class of signature schemes almost as efficiently as do previous one-time restrictive blind signature methods.
$(r, s, t) \leftarrow \mathit{sign}(x, m)$

(1) Choose $a, b \in_R \mathbb{Z}_q$ such that $a + bm \neq -1 \pmod q$.

(2) $r \leftarrow m^{a} g^{b} \bmod p$; if $r$, $r - mx$ or $(a + bm)r + mx \equiv 0 \pmod q$, then repeat from step (1).

(3) $(s, t) \leftarrow \left( \dfrac{ar\,(mx - r)}{(a + bm)r + mx},\; \dfrac{m\,(r - mx)}{(a + bm)r + mx} \right) \bmod q$

Fig. 1. Producing a signature

$(m', (r', s', t')) \leftarrow \mathit{trans}(y, m, (r, s, t), \omega)$

Bob | Verifier

(1) Choose $\alpha \in_R \mathbb{Z}_q$ | Choose $d \in_R \mathbb{Z}_q^*$

(2) $m' \leftarrow m^{\omega} \bmod p$

(3) $\beta \leftarrow \dfrac{rt}{m+t}$, $\quad \gamma \leftarrow \dfrac{ms - \omega(r+s)m'}{\omega(m+t)m'} - \dfrac{\alpha}{\omega m'}$, $\quad r^* \leftarrow m^{\alpha} r^{\beta} g^{\gamma} \bmod p$

(4) Bob sends $m', r^*$ to the Verifier; the Verifier answers with $d$.

(5) $r' \leftarrow (r^* y)^{d}\, g^{-1/m'} \bmod p$ | $r' \leftarrow (r^* y)^{d}\, g^{-1/m'} \bmod p$; if $d r' \equiv 0 \pmod q$ then repeat from step (1).

(6) $(a, b) \leftarrow (\alpha d, \beta d)$

(7) $(s', t') \leftarrow \left( \dfrac{(art - bms)\, r'}{\omega rt} \bmod q,\; -m' \right)$; Bob sends $s', t'$ to the Verifier | accept if $\mathit{verify}(y, m', (r', s', t'))$

Fig. 2. Transforming a signature
PATENT AND TRADEMARK OFFICE

Declaration and Power of Attorney

As a below named inventor, I hereby declare that:

My residence, post office address and citizenship are as stated below next to my name.

I believe I am an original, first and sole inventor of the subject matter which is claimed and for which a patent is sought on the invention entitled METHOD FOR GENERATING MANY-TIME RESTRICTIVE BLIND SIGNATURES, the specification of which [X] is attached hereto [ ] was filed on as U.S. Serial No.

I hereby state that I have reviewed and understand the contents of the above identified specification, including the claims, as amended by an amendment, if any, specifically referred to in this oath or declaration.

I acknowledge the duty to disclose all information known to me which is material to patentability as defined in Title 37, Code of Federal Regulations, 1.56.

I hereby claim foreign priority benefits under Title 35, United States Code, 119 of any foreign application(s) for patent or inventors' certificate listed below and have also identified below any foreign application for patent or inventors' certificate having a filing date before that of the application on which priority is claimed:

I hereby claim the benefit under Title 35, United States Code, 120 of any United States application(s) listed below and, insofar as the subject matter of each of the claims of this application is not disclosed in the prior United States application in the manner provided by the first paragraph of Title 35, United States Code, 112, we acknowledge the duty to disclose all information known to us to be material to patentability as defined in Title 37, Code of Federal Regulations, 1.56 which became available between the filing date of the prior application and the national or PCT international filing date of this application:

U.S. Serial No. 60/161,062, filed October 25, 1999

I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true; and further that these statements were made with the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States Code and that such willful false statements may jeopardize the validity of the application or any patent issued thereon.
I hereby appoint the following attorney(s) with full power of substitution and revocation, to prosecute said application, to make alterations and amendments therein, to receive the patent, and to transact all business in the Patent and Trademark Office connected therewith:

Samuel H. Dworetsky (Reg. No. 27873)
Thomas A. Restaino (Reg. No. 33444)
Michele L. Conover (Reg. No. 34962)
Benjamin S. Lee (Reg. No. 42787)
Robert B. Levy (Reg. No. 28234)
Alfred G. Steinmetz (Reg. No. 22971)
Cedric G. DeLaCruz (Reg. No. 36498)
Rohini K. Garg (Reg. No. 45272)
Thomas M. Isaacson (Reg. No. 44166)
Gary H. Monka (Reg. No. 35290)
Jeffrey M. Navon (Reg. No. 32711)

I also appoint Christopher A. Hughes (Reg. No. 36,914), John E. Hoel (Reg. No. 26,279) and Joseph C. Redmond (Reg. No. 18,753) of Morgan & Finnegan as associate attorneys, with full power to prosecute said application, to make alterations and amendments therein, and to transact all business in the U.S. Patent and Trademark Office connected therewith.

Please address all correspondence to Morgan & Finnegan, L.L.P., 345 Park Avenue, New York, NY 10154-0053. Telephone calls should be made to (202)-857-8011.

Full name of first or sole inventor: Gerrit Bleumer

Inventor's signature

Residence: Beethovenweg 15, 16727 Velten GERMANY
Citizenship: German

Post Office Address: Beethovenweg 15, 16727 Velten GERMANY